We discover new interesting malvertising cases on a daily basis.
For instance, on April 30, 2016, Cyphort's crawler found that the popular US website PerezHilton.com was redirecting users to the Angler Exploit Kit. According to SimilarWeb, PerezHilton.com has half a million visitors every day!
Here is the infection chain in this case:
In the screenshot below you can see the IFRAME leading to Angler's landing page. After exploiting the browser, Angler typically drops the Bedep malware, which then downloads further payloads and infects the victim's machine with CryptXXX ransomware.
It looks like som.barkisdesign.com was also the culprit in the attacks on CBS-affiliated television stations that our friends at Malwarebytes blogged about recently.
We have seen other popular websites in early May using the same som.barkisdesign.com redirector:
- www.aporrea.org on May 2
- www.nowtheendbegins.com on May 2
- www.lolking.net on May 3
On May 6 we saw PerezHilton infected again! This time the chain is:
Note that this infection is different:
- a different exploit kit
- a redirector from AOL (adtechus.com)
- Amazon CloudFront CDN used to distribute the malware
Malvertising continues to be one of attackers' preferred vectors for compromising users' machines with malware. Many users have fought back by blocking all advertising to protect themselves: nearly 200 million now use Adblock, according to Statista. In 2015, this form of ad blocking cost publishers nearly $22 billion.
Here is the graphic on the growth of Adblock users.
Malvertising is effective because users tend to trust mainstream, high-traffic "clean" websites. The attackers abuse this trust to infect those users via third-party ad content.
Advertising networks should use continuous monitoring: automated systems that repeatedly check ads for malware, scanning early and scanning often, picking up changes in the advertising chains, and drawing on the latest threat intelligence to power the monitoring.
We predict that malvertising will continue to rise. We will continue to track it and will share further updates on this blog.
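As an added illustration of the monitoring the previous paragraph calls for (example code written here, not Cyphort's crawler or any ad network's tooling), the script below takes snapshots of an ad creative over time, extracts the third-party hosts its IFRAME, script and image tags load from, flags any host that was not present in the previous snapshot (a change in the advertising chain), and matches hosts against a small threat-intelligence list. The only intel entry is the som.barkisdesign.com redirector named in this post; the publisher domain, ad-network domains and the two HTML creatives are constructed sample inputs.

```python
"""Minimal ad-chain monitor (added example, not the original post's code).

Scan early and often: each call to scan_creative() records the third-party
hosts an ad creative loads content from, reports hosts that were not in the
previous snapshot, and flags hosts that appear in a threat-intel list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Threat-intel list. som.barkisdesign.com is the redirector named in the post;
# a real deployment would feed this from a regularly refreshed intel source.
KNOWN_BAD_HOSTS = {"som.barkisdesign.com"}

# Tags whose src attribute pulls in remote content and can extend the ad chain.
LOADING_TAGS = {"iframe", "script", "img", "embed"}


class _ChainExtractor(HTMLParser):
    """Collects the hostnames referenced by src attributes in a creative."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # urlparse handles absolute and protocol-relative ("//host/...") URLs;
        # a relative path has no hostname and is treated as first-party.
        host = urlparse(src).hostname
        if host:
            self.hosts.add(host.lower())


def extract_hosts(html):
    """Return the set of hostnames a creative loads content from."""
    parser = _ChainExtractor()
    parser.feed(html)
    return parser.hosts


def _is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def scan_creative(name, html, baseline, first_party):
    """Scan one creative and update the per-creative baseline in place.

    Returns a dict with the third-party hosts seen, hosts new since the last
    snapshot, hosts matching threat intel, and an overall alert flag.
    """
    third_party = {h for h in extract_hosts(html)
                   if not _is_first_party(h, first_party)}
    # First snapshot establishes the baseline; later ones report the delta.
    new_hosts = third_party - baseline[name] if name in baseline else set()
    known_bad = third_party & KNOWN_BAD_HOSTS
    baseline[name] = third_party
    return {
        "hosts": third_party,
        "new_hosts": new_hosts,
        "known_bad": known_bad,
        "alert": bool(new_hosts or known_bad),
    }


# Constructed sample creatives: the second has a 1x1 IFRAME injected that
# points at the redirector from the post.
CLEAN_CREATIVE = (
    '<div class="ad">'
    '<script src="https://ads.example-network.com/creative.js"></script>'
    '<img src="https://cdn.example-network.com/banner.png">'
    '<img src="/static/pixel.gif">'
    '</div>'
)
INJECTED_CREATIVE = CLEAN_CREATIVE + (
    '<iframe src="//som.barkisdesign.com/land.php" width="1" height="1">'
    '</iframe>'
)


def run_monitor(snapshots, first_party="example-publisher.com"):
    """Scan a sequence of (creative_name, html) snapshots in order."""
    baseline = {}
    return [scan_creative(n, h, baseline, first_party) for n, h in snapshots]


if __name__ == "__main__":
    results = run_monitor([("slot-300x250", CLEAN_CREATIVE),
                           ("slot-300x250", INJECTED_CREATIVE)])
    for i, r in enumerate(results, 1):
        print(f"scan {i}: alert={r['alert']} new={sorted(r['new_hosts'])} "
              f"known_bad={sorted(r['known_bad'])}")
```

The first scan establishes the baseline for the slot and raises no alert; the second scan alerts both because a host appeared that was not in the previous snapshot and because that host matches the intel list. Either signal alone is enough to pull the creative for review, which is the point of scanning often: the chain change is caught even before the domain reaches a threat feed.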